Data Protection Impact Assessment (DPIA
- Data Protection Impact Assessment (DPIA
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. You must do a DPIA for data processing that is likely to result in a high risk to individuals. This includes some specified types of processing. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
Risk Imperium will provide a DPIA review service to your organisation for projects involving personally identifiable data.
- Your DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
- To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
- You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
- If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
- If you are processing for law-enforcement purposes, you should read this alongside the Guide to Law Enforcement Processing.
- The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.
- DPIA awareness checklist
☐ We provide training so that your staff understand the need to consider a DPIA at the early stages of any plan involving personal data.
☐ Your existing policies, processes and procedures include references to DPIA requirements.
☐ We help your staff understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary.
☐ We will create and documented a DPIA process for your organisation.
☐ We provide training for relevant staff on how to carry out a DPIA.